CVE-2023-44487 "HTTP/2 Rapid Reset" Response
Incident Report for Aptible
Resolved
We are aware of the recently disclosed vulnerability CVE-2023-44487, also known as the "HTTP/2 Rapid Reset Attack," which poses a potential risk of Denial of Service (DoS) attacks on HTTP/2-capable web servers.

We are actively monitoring the situation and have conducted in-house tests on our HTTPS Endpoints that utilize AWS Application Load Balancers (ALBs). Currently, there is no evidence suggesting Aptible is vulnerable to this particular security concern. AWS has put in place extra measures to mitigate this vulnerability, ensuring that our services stay secure and fully functional. More information here:
- AWS: CVE-2023-44487 - HTTP/2 Rapid Reset Attack: https://aws.amazon.com/security/security-bulletins/AWS-2023-011/

On Endpoint Types at Aptible:
- HTTP(S) Endpoints: these use Application Load Balancers (ALBs) and have mitigations in place to address the vulnerability. Some Endpoints created before 2018 use legacy Elastic Load Balancers (ELBs), which do not support HTTP/2 and are not vulnerable.
- TLS / TCP Endpoints: if customers are exposing custom HTTP/2-capable web servers behind these Endpoints, we recommend verifying with your web server vendor to determine if you are affected and, if so, promptly installing the latest patches to mitigate this issue.
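For operators running their own HTTP/2 servers behind TLS/TCP Endpoints, the pattern a Rapid Reset mitigation looks for is a client opening streams with HEADERS and cancelling each with RST_STREAM before any DATA arrives. The following is an added illustration, not Aptible's or AWS's code: a minimal frame walker that counts that pattern per connection over constructed frames (encoding per RFC 9113; the flagging thresholds are assumed and would be tuned to the server's concurrent-stream limit).

```python
import struct

DATA, HEADERS, RST_STREAM = 0x0, 0x1, 0x3  # HTTP/2 frame type codes (RFC 9113)
CANCEL = 0x8  # RST_STREAM error code a client uses to abandon a request

def frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Encode one frame: 24-bit length, type, flags, reserved bit + 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data: bytes):
    """Yield (type, stream_id, payload) for each complete frame in a client-to-server
    byte stream (connection preface already stripped); a truncated tail is ignored."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        end = off + 9 + length
        if end > len(data):
            break
        yield ftype, stream_id, data[off + 9:end]
        off = end

def count_rapid_resets(data: bytes) -> dict:
    """Count streams the client opened with HEADERS and how many it reset before sending
    any DATA: the open-then-cancel signature that sidesteps the concurrent-stream limit."""
    open_streams, opened, reset_before_data = set(), 0, 0
    for ftype, sid, _payload in parse_frames(data):
        if sid == 0:
            continue  # SETTINGS, PING, WINDOW_UPDATE on stream 0 are not requests
        if ftype == HEADERS and sid not in open_streams:
            open_streams.add(sid)
            opened += 1
        elif ftype == DATA:
            open_streams.discard(sid)  # a body followed: ordinary request, not a bare cancel
        elif ftype == RST_STREAM and sid in open_streams:
            open_streams.discard(sid)
            reset_before_data += 1
    return {"opened": opened, "reset_before_data": reset_before_data}

def is_rapid_reset(data: bytes, min_resets: int = 100, min_ratio: float = 0.9) -> bool:
    """Flag a connection once enough streams were opened and nearly all were cancelled (assumed thresholds)."""
    s = count_rapid_resets(data)
    return s["reset_before_data"] >= min_resets and s["reset_before_data"] / max(s["opened"], 1) >= min_ratio

# Constructed samples (not captured traffic): a normal client that sends bodies and cancels
# one request, versus a connection that only ever opens and immediately cancels streams.
NORMAL = b"".join(frame(HEADERS, s) + frame(DATA, s, b"body") for s in range(1, 21, 2))
NORMAL += frame(HEADERS, 21) + frame(RST_STREAM, 21, struct.pack(">I", CANCEL))
ABUSIVE = b"".join(frame(HEADERS, s) + frame(RST_STREAM, s, struct.pack(">I", CANCEL)) for s in range(1, 401, 2))
```

A real deployment would apply the same count per connection over a sliding time window and close or rate-limit the connection, which is the class of mitigation web server patches for this CVE implement.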
Posted Oct 11, 2023 - 14:00 EDT